Chapter 3 Review Questions SEC330
Which of the following are Layer 2 encryption methods defined by the 802.11‐2012 stan- dard? (Choose all that apply.)
A , D, E. WEP, TKIP, and CCMP are de ned by the IEEE 802.11-2012 standard. GCMP is an encryption method standardized in the 802.11ad-2012 amendment and is an optional method de ned under the 802.11ac-2012 amendment for VHT data rates. WPA and WPA2 are certi cation testing standards de ned by the Wi-Fi Alliance.
The CCMP header is made up of which of the following pieces? (Choose all that apply.)
A , D. The CCMP header includes the Key ID and the packet (PN), which is divided into 6 octets. The format of the CCMP header is basically identical to the format of the 8-octet TKIP header (IV/Extended IV). The CCMP header is not encrypted.
Andy calls the help desk for assistance with sending an encrypted message to Chris. With- out knowing what type of security protocol and encryption Andy and Chris are using, which of the answers here could make the following scenario true? In order for Andy to send an encrypted message successfully to Chris, Andy is told to enter on his computer; Chris needs to enter on his computer. (Choose all that apply.)
A , D. When using asymmetric encryption, the message is encrypted with the public key and decrypted with the private key. An asymmetric encryption protocol uses different keys to encrypt the data and decrypt the data. A symmetric encryption protocol uses the same key to encrypt the data and decrypt the data.
Which of the following encryption methods use symmetric algorithms? (Choose all that apply.)
A, B, D. WEP, TKIP, and CCMP use symmetric algorithms. WEP and TKIP use the ARC4 algorithm. CCMP uses the AES cipher. Public-key cryptography is based on asymmetric communications.
The IEEE 802.11‐2012 standard states which of the following regarding 802.11n data rates and encryption? (Choose all that apply.)
A, B. The migration from TKIP to CCMP can be seen in the IEEE 802.11n amendment, the IEEE 802.11ac amendment, and the IEEE 802.11-2012 standard, which all state that High Throughput (HT) or Very High Throughput (VHT) data rates are not allowed to be used if WEP or TKIP is enabled.
CCMP is an acronym made up of multiple components. Which of the following is an expanded version of this acronym? (Choose all that apply)
A, C, D. CCMP is the acronym for Counter Mode with Cipher-Block Chaining Message Authentication Code Protocol. Counter Mode is often represented as CTR. Cipher-Block Chaining is CBC. CBC-MAC is the acronym for Cipher-Block Chaining Message Authenti- cation Code.
3DES has effective key sizes of how many bits? (Choose all that apply.)
A, C, E. 3DES de nes three keying options: Keying Option 1 Keying Option 2 Keying Option 3 All three keys are unique. K1 and K2 are unique, but K3 = K1. All three keys are identical: K1 = K2 = K3. Keying option 1 is the strongest, because all three keys are unique, giving it an effective key size of 168 bits. Keying option 3 is the weakest, and is essentially equal to very slow DES. Remember that with a symmetric algorithm, the same key that encrypts the data also decrypts the data. With 3DES, after the rst pass with K1 encrypts the data, the second pass with K2 actually decrypts the data, and the third pass with K3 encrypts the data again. Keying option 2 provides an effective key size of 112 bits.
Which of the following are encryption algorithms specified by the IEEE 802.11‐2012 stan- dard to be used for data encryption? (Choose all that apply.)
A, F. ARC4 is used in WEP and TKIP, and AES is used in CCMP. RC5 is a symmetric block cipher design by Ron Rivest. IPsec is a protocol suite that uses other encryption pro- tocols, and it is not de ned by the 802.11-2012 standard. DES and 3DES are symmetric block ciphers, part of the NIST FIPS standard.
CCMP/AES encryption adds an extra of overhead to the body of an 802.11 data frame.
A. CCMP/AES encryption will add an extra 16 bytes of overhead to the body of an 802.11 data frame. Eight bytes are added by the CCMP header and 8 bytes are added by the MIC. WEP encryption will add an extra 8 bytes of overhead to the body of an 802.11 data frame. When TKIP is implemented, because of the extra overhead from the extended IV and the MIC, a total of 20 bytes of overhead is added to the body of an 802.11 data frame.
CCMP/AES uses a temporal key and encrypts data in blocks.
A. The AES algorithm is de ned in FIPS PUB 197-2001. All AES processing used within CCMP uses AES with a 128-bit key and a 128-bit block size.
AES supports three key lengths of 128, 192, and 256. The number of rounds performed for AES‐128 is , for AES‐192 is , and for AES‐256 is . (Choose all that apply.)
B, C, D. AES uses a block size of 128 bits, which is actually a 4 × 4 array of bytes, called a state. The number of rounds performed on the block varies depending on the key sizes. AES-128 performs 10 rounds, AES-192 performs 12 rounds, and AES-256 performs 14 rounds.
A data integrity check known as Message Integrity Code (MIC) is used by which of the fol- lowing? (Choose all that apply.)
B, C. A stronger data integrity check known as a Message Integrity Code (MIC), or by its common name, Michael, was introduced with TKIP to correct some of the weaknesses in WEP. CCMP also uses a MIC. AES and DES are encryption algorithms and are not con- cerned with message integrity.
Given that additional authentication data (AAD) is constructed from portions of the MPDU header and that the information is used for data integrity, which fields of the MAC header comprise the AAD? (Choose all that apply.)
B, D, E, F. Certain elds in the MPDU header are used to construct the additional authentication data (AAD). The MIC provides integrity protection for these elds in the MAC header as well as in the frame body. All of the MAC addresses, including the BSSID, are protected. Portions of the other elds of the MAC header are also protected. Receiving stations will validate the integrity of these protected portions of the MAC header. For example, the frame type and the distribution bits, which are sub elds of the Frame Control eld, are protected. The AAD does not include the header Duration eld, because the Duration eld value can change due to normal IEEE 802.11 operation. For similar reasons, several sub elds in the Frame Control eld, the Sequence Control eld, and the QoS Control eld are masked to 0 and therefore not protected. For example, the Retry bit and Power Management bits are also masked and not protected by CCM integrity.
When using an encryption suite that implements an asymmetric algorithm, which of the fol- lowing statements is true? (Choose all that apply.)
C, D. Asymmetric algorithms use a pair of keys—a private key that is used for decryption and a public key that is used for encryption. Asymmetric algorithms generally require more computer processing power than symmetric algorithms.
The Rijndael algorithm was the foundation for which of the following ciphers?
C. AES is based on the Rijndael algorithm. CCMP is an encryption protocol that uses the AES cipher. TKIP uses ARC4. DES and 3DES are both block ciphers unrelated to Rijndael.
Which of the following is a FIPS encryption standard that uses a single 56‐bit symmetric key? (Choose all that apply.)
C. RC4 and RC5 were never FIPS encryption standards. 3DES is a FIPS encryption stan- dard, but it uses three keys with an effective key size of 168 bits. AES is a FIPS encryption standard with key sizes of 128, 192, and 256 bits.
TKIP/ARC4 encryption adds an extra of overhead to the body of an 802.11 MPDU.
C. When TKIP is implemented, because of the extra overhead from the extended IV and the MIC, a total of 20 bytes of overhead is added to the body of an 802.11 MPDU. CCMP/AES encryption will add an extra 16 bytes of overhead to the body of an 802.11 MPDU. WEP encryption will add an extra 8 bytes of overhead to the body of an 802.11 MPDU.
Given that CCMP uses a MIC for data integrity to protect the frame body and portions of the MAC header, what information needs to be constructed to protect certain fields in the MAC header?
D. Additional Authentication Data (AAD) is constructed from portions of the MPDU header. This information is used for data integrity of portions of the MAC header. Receiv- ing stations can then validate the integrity of these MAC header elds. The MIC protects the AAD information and the frame body for data integrity.
An HT client STA is transmitting to an HT AP using modulation and coding scheme (MCS) #12 that defines 16‐QAM modulation, two spatial streams, a 40‐MHz bonded channel, and an 800 ns guard interval to achieve a data rate of 162 Mbps. According to the IEEE, which types of encryption should be used by the HT client STA? (Choose all that apply.)
D. The IEEE 802.11n amendment states that an HT station should not use WEP or TKIP when communicating with other STAs that support stronger ciphers. HT STAs should not use pre-RSNA security methods to protect unicast frames if the RA or address 1 of the Chapter 3: Encryption Ciphers and Methods 559 frame corresponds to an HT STA. On September 1, 2009, the Wi-Fi Alliance also began requiring that all HT radios (802.11n) not use TKIP when using HT data rates. TKIP is also not supported for VHT radios (802.11ac) when using VHT data rates.
Which of the following is a random numerical value that is generated one time only and is used in cryptographic operations? (Choose all that apply.)
E. A pseudo-random function creates a pseudo-random value; however, this is simply a process to generate a number. There are no restrictions on how many times this function or value is used. A one-time password is a password that is used once; it is not necessarily random. Single-sign on is a way of providing a single login process for accessing multiple systems or resources. A throw-away variable does not exist.